The Manage Banned Hashes page lets you add, manage, and get information about process hash bans created on your Carbon Black EDR server.
Table of Bans – Any hash bans that have been created on your Carbon Black EDR server are listed in a table, including bans that are enabled and bans that are not currently enabled. An indicator at the top-right corner of the page shows the total number of bans (both enabled and disabled) that have been created.
Access to Additional Ban Information – Some information about each ban is shown in the table rows, and additional information is available through drill-down features for each ban.
Toggling of Ban Status – The status of each ban is displayed in the Banned column. You can enable or disable any ban.
Ban More Hashes – This button opens the Add Hashes to Ban List dialog, where you can enter one or more hash values to create new bans.
The table of hashes lists each hash ban that has been created on this server. You can also search for hash bans by the MD5 hash of the process, and you can control the display of the entire table using the following controls:
View – You can click different buttons in the View field to display All bans (the default), currently Banned hashes, and Previously Banned hashes (ban disabled).
Sort By – You can sort the table by MD5 hash (default), Date Added, or User. Radio buttons change the sort order from ascending to descending.
The following table describes fields on this page. The table data that reports on blocks caused by bans requires that the Banning Events feed on the Threat Intelligence Feeds page is enabled. (See Threat Intelligence Feeds.)
Column | Description |
---|---|
Hash | The MD5 hash of the process that is or was banned. Clicking on the hash opens the Binary Details page for the hash. |
Notes | Any user-created notes about the ban or hash. |
Latest Block | The length of time since the process identified by the MD5 hash was blocked on a system reporting to the Carbon Black EDR server. |
Total Blocks | The total number of times this process has been blocked by the ban. |
Hosts w/ Blocks | The number of systems on which this process was blocked at least once. If a host name appears, clicking on it opens the Sensor Details page for that host. |
Banned | This checkbox controls the status of the ban. When the box is checked, the ban is enabled. When the checkbox is not checked, the ban is disabled. |
(more details) | Click the blue down arrow icon to expand the row of a hash ban to provide additional details. |
When you expand the row for a ban using the blue down arrow, information about the ban and its process appears in the panel. You can also use navigation links to go to other pages for more information.
The following table describes the process hash ban details:
Column | Description |
---|---|
Hosts / Processes | Shows how many hosts have run the process identified by this MD5 hash and how many times the process ran before it was banned. |
Meta data | The name of the Carbon Black EDR console user who created the ban, when the ban was added, and the date and time of the most recent block caused by the ban. Clicking the user name navigates to the table of users on the User Management page. |
Hosts | The endpoints on which the process controlled by this ban has been blocked. |
Notes | Any user-created notes about the ban or the hash. Notes can be edited. |
View ban history | Opens a separate Ban History window that shows status changes (enabled, disabled) for the ban, who made them, and when they were made. |
(process search) | Click the blue magnifying glass icon to go to the Process Search page with the search results for this process. |